@blamejs/exceptd-skills 0.13.5 → 0.13.6

package/data/cve-catalog.json

@@ -1,7 +1,7 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "last_updated": "2026-05-13",
+    "last_updated": "2026-05-18",
     "source": "NVD + CISA KEV + vendor advisories — see sources/index.json",
     "required_fields": [
       "type",
@@ -55,7 +55,7 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.132,
+      "current_rate": 0.1791,
       "current_floor_enforced_by_test": 0.13,
       "ladder_to_target": [
         0.13,
@@ -3657,5 +3657,1967 @@
     "_draft": false,
     "last_updated": "2026-05-17",
     "discovery_attribution_note": "Vendor-internal discovery by Fortinet PSIRT, disclosed 2024-02-08 via advisory FG-IR-24-015. No external researcher byline. CISA KEV-listed 2024-02-09 with a 7-day federal remediation deadline. Post-exploitation symlink-persistence technique documented in Fortinet's 2025-04-11 advisory after operators reported residual filesystem access on devices patched after compromise."
+  },
+  "CVE-2025-10585": {
+    "id": "CVE-2025-10585",
+    "name": "Google Chrome V8 Type Confusion Zero-Day (TAG-disclosed)",
+    "type": "type-confusion-rce",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-09-23",
+    "cisa_kev_due_date": "2025-10-14",
+    "poc_available": true,
+    "poc_description": "In-the-wild exploit observed by Google TAG prior to disclosure; rendered web content triggers V8 type-confusion in WebAssembly/JIT path leading to renderer RCE. Full chain typically pairs with a Chromium sandbox escape for full system compromise.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Discovered and reported by Google Threat Analysis Group (TAG) — human researcher attribution. Disclosure date 2025-09-16.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "Google Chrome Stable channel < 140.0.7339.185 (Linux), < 140.0.7339.185/186 (Windows/Mac); downstream Chromium browsers (Microsoft Edge, Brave, Opera, Vivaldi) prior to backport.",
+    "affected_versions": [
+      "chrome < 140.0.7339.185"
+    ],
+    "vector": "Malicious web page served to a Chrome user; V8 type-confusion in JIT-compiled code yields arbitrary read/write inside the renderer process.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Browser patch cadence in standard configuration baselines does not reflect a 4-hour exploit window for an in-the-wild V8 zero-day with KEV listing.",
+      "ISO-27001-2022-A.8.8": "'Appropriate timescales' undefined for browser zero-days; enterprise patch windows often measured in weeks.",
+      "CIS-Controls-v8-7.4": "Automated browser updates assumed but enterprise managed-update deferral (often 7-30 days for QA) leaves the renderer exposed.",
+      "NIS2-Art21-patch-management": "No explicit guidance on browser zero-day SLA for endpoint estates."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1189",
+      "T1203"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 75,
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-10585",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Google",
+        "advisory_id": null,
+        "url": "https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html",
+        "severity": "high",
+        "published_date": "2025-09-17"
+      }
+    ],
+    "discovery_attribution_note": "Discovered and reported by Google Threat Analysis Group (TAG) — human researcher attribution. Disclosure date 2025-09-16. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-10585",
+    "live_patch_tools": []
+  },
+  "CVE-2025-14174": {
+    "id": "CVE-2025-14174",
+    "name": "Apple WebKit Memory Corruption Zero-Day (Targeted Spyware)",
+    "type": "memory-corruption-rce",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-12-15",
+    "cisa_kev_due_date": "2026-01-05",
+    "poc_available": false,
+    "poc_description": "No public PoC; exploit observed in targeted attacks against specific individuals consistent with commercial-spyware / nation-state operator tradecraft. Apple characterized the activity as 'extremely sophisticated'.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Discovery credit not publicly disclosed by Apple at time of patch; targeted-spyware operator activity rather than AI-assisted discovery.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "Apple WebKit on iOS/iPadOS prior to 18.7.3 and 26.2; macOS Tahoe 26.2; Safari 26.2; tvOS/watchOS/visionOS 26.2.",
+    "affected_versions": [
+      "iOS < 18.7.3",
+      "iPadOS < 18.7.3",
+      "iOS < 26.2",
+      "macOS Tahoe < 26.2",
+      "Safari < 26.2"
+    ],
+    "vector": "Maliciously crafted web content rendered by WebKit triggers memory corruption; commonly chained with a kernel exploit for full sandbox escape.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Standard mobile patch baselines (often monthly) do not meet the operational reality of targeted-spyware deployment within hours of exploit availability.",
+      "ISO-27001-2022-A.8.8": "Mobile endpoint patching often deferred to user-action; no MDM-enforced 'KEV-class within 24h' control prescribed.",
+      "NIS2-Art21-patch-management": "Mobile estates are usually out of scope of enterprise patch SLA in mid-market deployments."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1189",
+      "T1203",
+      "T1212"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 0,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_score": 55,
+    "verification_sources": [
+      "https://support.apple.com/en-us/HT215000",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-14174"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Apple",
+        "advisory_id": null,
+        "url": "https://support.apple.com/en-us/HT215000",
+        "severity": "high",
+        "published_date": "2025-12-15"
+      }
+    ],
+    "discovery_attribution_note": "Discovery credit not publicly disclosed by Apple at time of patch; targeted-spyware operator activity rather than AI-assisted discovery. Source: https://support.apple.com/en-us/HT215000",
+    "live_patch_tools": []
+  },
+  "CVE-2025-43529": {
+    "id": "CVE-2025-43529",
+    "name": "Apple WebKit Use-After-Free (DarkSword 1-click chain)",
+    "type": "use-after-free-rce",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-12-15",
+    "cisa_kev_due_date": "2026-01-05",
+    "poc_available": true,
+    "poc_description": "Primary 1-click initial-access vector documented in the 'DarkSword' exploit kit reporting. UAF in WebKit reachable via crafted web content; pairs cleanly with sandbox-escape primitives for full chain.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "No AI-tool credit; commercial exploit kit (DarkSword) attribution.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "Apple WebKit on iOS/iPadOS prior to 18.7.3 / 26.2; macOS Tahoe 26.2; Safari 26.2 for macOS; tvOS/watchOS/visionOS 26.2.",
+    "affected_versions": [
+      "iOS < 18.7.3",
+      "iOS < 26.2",
+      "Safari < 26.2"
+    ],
+    "vector": "Crafted web content triggers UAF in WebKit allowing arbitrary code execution within the Web Content sandbox; chained with kernel/sandbox-escape CVEs for full device compromise.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Same KEV+PoC class as CVE-2025-14174; default mobile patch SLAs are not calibrated to in-the-wild WebKit UAFs.",
+      "ISO-27001-2022-A.8.8": "Mobile-endpoint patch SLAs treat OS updates as user-pushed rather than enforced within KEV deadlines."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1189",
+      "T1203"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_score": 77,
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-43529",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://support.apple.com/en-us/HT215000"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Apple",
+        "advisory_id": null,
+        "url": "https://support.apple.com/en-us/HT215000",
+        "severity": "high",
+        "published_date": "2025-12-15"
+      }
+    ],
+    "discovery_attribution_note": "No AI-tool credit; commercial exploit kit (DarkSword) attribution. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-43529",
+    "live_patch_tools": []
+  },
+  "CVE-2025-4919": {
+    "id": "CVE-2025-4919",
+    "name": "Firefox SpiderMonkey Type Confusion (Pwn2Own Berlin)",
+    "type": "type-confusion-rce",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Pwn2Own Berlin 2025 contestant exploit; a single-character typo (& vs |) in SpiderMonkey WASM-GC code produced Type Confusion enabling renderer read/write primitives. Sandbox NOT escaped in the disclosed Pwn2Own chain.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Pwn2Own competitor disclosure; same-day patch.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "none",
+    "affected": "Mozilla Firefox < 138.0.4, Firefox ESR < 128.10.1 and < 115.23.1, Thunderbird < 138.0.2.",
+    "affected_versions": [
+      "firefox < 138.0.4",
+      "firefox-esr < 128.10.1"
+    ],
+    "vector": "Crafted JavaScript / WebAssembly content compiled through SpiderMonkey JIT triggers Type Confusion, granting attacker primitive read/write inside the renderer.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Browser patch SLAs in enterprise baselines (often 7-day for high) lag the same-day vendor turnaround expected for a Pwn2Own-class flaw.",
+      "ISO-27001-2022-A.8.8": "Patch timescale unspecified; secondary-browser (Firefox) maintenance often deprioritized vs Chrome/Edge."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1189",
+      "T1203"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 15,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 20,
+    "verification_sources": [
+      "https://www.mozilla.org/en-US/security/advisories/mfsa2025-36/",
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-4919"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Mozilla",
+        "advisory_id": "MFSA2025-36",
+        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-36/",
+        "severity": "critical",
+        "published_date": "2025-05-17"
+      }
+    ],
+    "discovery_attribution_note": "Pwn2Own competitor disclosure; same-day patch. Source: https://www.mozilla.org/en-US/security/advisories/mfsa2025-36/",
+    "live_patch_tools": []
+  },
+  "CVE-2025-24201": {
+    "id": "CVE-2025-24201",
+    "name": "Apple WebKit Out-of-Bounds Write (Glass Cage chain, iOS sandbox escape)",
+    "type": "out-of-bounds-write-sandbox-escape",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-03-12",
+    "cisa_kev_due_date": "2025-04-02",
+    "poc_available": true,
+    "poc_description": "Public 'Glass Cage' zero-click iMessage PNG chain on GitHub combines CVE-2025-43300 (ImageIO) + CVE-2025-24201 (WebKit OOB write) + CVE-2025-24085 (Core Media) for sandbox escape + kernel-level access + device bricking on iOS 18.2.1. Targeted exploitation observed by Apple prior to disclosure.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Apple-internal discovery in response to targeted-attack telemetry on devices running iOS prior to 17.2.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "Apple WebKit on iOS < 18.3.2, iPadOS < 18.3.2, macOS Sequoia < 15.3.2, Safari < 18.3.1, visionOS < 2.3.2.",
+    "affected_versions": [
+      "iOS < 18.3.2",
+      "macOS Sequoia < 15.3.2",
+      "visionOS < 2.3.2"
+    ],
+    "vector": "Crafted web content (zero-click via iMessage when chained with ImageIO bug) escapes the Web Content sandbox via WebKit OOB write.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "KEV-listed with public chain; standard mobile patch SLAs (often 14-30 days) do not match the 4-hour exposure window for zero-click chains.",
+      "ISO-27001-2022-A.8.8": "Mobile-OS-update timeliness is user-driven; no enforced KEV-class SLA.",
+      "ENISA-mobile-secure-baseline": "Operator MDM policy is the only enforcement layer; default Apple MDM profiles do not enforce KEV-deadline updates."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1189",
+      "T1203",
+      "T1068"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_score": 80,
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-24201",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://support.apple.com/en-us/122281",
+      "https://github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Apple",
+        "advisory_id": null,
+        "url": "https://support.apple.com/en-us/122281",
+        "severity": "high",
+        "published_date": "2025-03-11"
+      }
+    ],
+    "discovery_attribution_note": "Apple-internal discovery in response to targeted-attack telemetry on devices running iOS prior to 17.2. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-24201",
+    "live_patch_tools": []
+  },
+  "CVE-2025-43300": {
+    "id": "CVE-2025-43300",
+    "name": "Apple ImageIO Out-of-Bounds Write (DNG/JPEG-lossless, zero-click chain root)",
+    "type": "out-of-bounds-write-rce",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-08-21",
+    "cisa_kev_due_date": "2025-09-11",
+    "poc_available": true,
+    "poc_description": "Public 'Glass Cage' chain on GitHub uses CVE-2025-43300 as the initial-access primitive (TIFF SamplesPerPixel vs JPEG SOF3 metadata mismatch). Apple confirmed in-the-wild exploitation as part of an 'extremely sophisticated attack' against targeted individuals.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Apple-internal disclosure; full attribution undisclosed.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "Apple ImageIO on iOS < 18.6.2, iPadOS < 18.6.2, macOS Sequoia < 15.6.1, macOS Sonoma < 14.7.8, macOS Ventura < 13.7.8.",
+    "affected_versions": [
+      "iOS < 18.6.2",
+      "macOS Sequoia < 15.6.1",
+      "macOS Sonoma < 14.7.8",
+      "macOS Ventura < 13.7.8"
+    ],
+    "vector": "Crafted DNG / JPEG-lossless image triggers OOB write in ImageIO when TIFF SamplesPerPixel conflicts with JPEG SOF3 component count; zero-click via iMessage / WhatsApp / any auto-rendering image path.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Zero-click image-processing CVE; default mobile patch SLAs assume user-driven update timing.",
+      "ISO-27001-2022-A.8.8": "Mobile endpoints often outside enterprise patch-management scope.",
+      "PCI-DSS-4.0-6.3.3": "1-month critical SLA insufficient for an in-the-wild zero-click chain.",
+      "NIS2-Art21-patch-management": "Mobile endpoint patching not explicitly enumerated."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1203",
+      "T1068"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_score": 80,
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-43300",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://support.apple.com/en-us/124925"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Apple",
+        "advisory_id": null,
+        "url": "https://support.apple.com/en-us/124925",
+        "severity": "high",
+        "published_date": "2025-08-20"
+      }
+    ],
+    "discovery_attribution_note": "Apple-internal disclosure; full attribution undisclosed. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-43300",
+    "live_patch_tools": []
+  },
+  "CVE-2025-38352": {
+    "id": "CVE-2025-38352",
+    "name": "Android / Linux Kernel POSIX CPU Timer Race (sandbox-escape LPE)",
+    "type": "race-condition-lpe",
+    "cvss_score": 7.4,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-09-04",
+    "cisa_kev_due_date": "2025-09-25",
+    "poc_available": true,
+    "poc_description": "Public 'chronomaly' PoC on GitHub (farazsth98/chronomaly) targets vulnerable x86_64 Linux kernels v5.10.x. Race between handle_posix_cpu_timers() and posix_cpu_timer_del() triggered when a task exits while CPU timers are being removed; improper exit_state handling opens an LPE window. Confirmed used as a zero-day to escape Android application sandbox.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Google Android Security Bulletin September 2025 attribution; no AI-tool credit.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "Linux kernel including downstream Android kernels prior to the September 2025 patch level. Affects Android devices on patch levels < 2025-09-01.",
+    "affected_versions": [
+      "linux-kernel < 5.10.236",
+      "android-security-patch-level < 2025-09-01"
+    ],
+    "vector": "Local unprivileged process on Android (or Linux) exercises POSIX CPU timer race during task teardown to gain elevated privileges; chained with WebKit/Chrome renderer compromise for sandbox escape.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "kpatch",
+      "canonical-livepatch"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-2": "Android device patch deployment cadence varies wildly by OEM (often 30-90 days behind Google bulletin) — KEV deadline cannot realistically bind non-Pixel devices.",
+      "ISO-27001-2022-A.8.8": "Mobile firmware patching timescales undefined; OEM-controlled.",
+      "NIS2-Art21-patch-management": "Mobile-OS estate patch SLA is exception territory in most NIS2 OES filings."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1068",
+      "T1611"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 5
+    },
+    "rwep_score": 73,
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-38352",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://source.android.com/docs/security/bulletin/2025-09-01",
+      "https://github.com/farazsth98/chronomaly"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Google (Android)",
+        "advisory_id": "A-2025-09-01",
+        "url": "https://source.android.com/docs/security/bulletin/2025-09-01",
+        "severity": "high",
+        "published_date": "2025-09-02"
+      }
+    ],
+    "discovery_attribution_note": "Google Android Security Bulletin September 2025 attribution; no AI-tool credit. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-38352"
+  },
+  "CVE-2025-55241": {
+    "id": "CVE-2025-55241",
+    "name": "Microsoft Entra ID Cross-Tenant Actor Token Impersonation",
+    "type": "cross-tenant-privilege-escalation",
+    "cvss_score": 10,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "kev_scope_note": "Not added to KEV — Microsoft fixed pre-disclosure (server-side) and no in-the-wild exploitation was observed prior to remediation. KEV scope ordinarily excludes cloud-control-plane bugs that were closed before any operator could act.",
+    "poc_available": false,
+    "poc_description": "Researcher (Dirk-Jan Mollema) demonstrated end-to-end Global Admin impersonation across arbitrary tenants. Microsoft patched server-side before public disclosure; no operator-side PoC exists post-fix because the attack surface has been removed.",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Researcher disclosure 2025-07-14; Microsoft global server-side fix 2025-07-17; additional hardening 2025-08-06; public disclosure September 2025.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "none",
+    "affected": "Microsoft Entra ID (formerly Azure Active Directory) tenants with the legacy Azure AD Graph API enabled. Pre-2025-07-17 service state.",
+    "affected_versions": [
+      "Entra ID cloud service pre-2025-07-17"
+    ],
+    "vector": "Attacker requests an undocumented 'Actor' token from a benign tenant; presents it to the legacy Azure AD Graph endpoint in a target tenant; the API fails to validate originating-tenant claim and authorizes the impersonated identity, bypassing MFA, Conditional Access, and API-level logging.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-AC-6": "Cross-tenant authority validation is not an enumerated control; least-privilege assumed within tenant boundary.",
+      "NIST-800-53-IA-8": "Identity-provider-side flaw escapes federation trust boundary assumptions.",
+      "ISO-27001-2022-A.5.15": "Access control bound to tenant identity; cross-tenant trust validation undefined.",
+      "EU-AI-Act-Art15": "Cloud-identity primitives underpinning agentic systems are not in scope; supply-chain identity validation gap."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1078.004",
+      "T1098"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 0,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 15,
+    "verification_sources": [
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241",
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-55241",
+      "https://dirkjanm.io/",
+      "https://practical365.com/death-by-token-understanding-cve-2025-55241/"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Microsoft",
+        "advisory_id": "CVE-2025-55241",
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241",
+        "severity": "critical",
+        "published_date": "2025-09-17"
+      }
+    ],
+    "discovery_attribution_note": "Researcher disclosure 2025-07-14; Microsoft global server-side fix 2025-07-17; additional hardening 2025-08-06; public disclosure September 2025. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55241",
+    "live_patch_tools": []
+  },
+  "CVE-2025-21085": {
+    "id": "CVE-2025-21085",
+    "name": "Cisco Duo Authentication Proxy Credential Disclosure in Logs",
+    "type": "information-disclosure-credential",
+    "cvss_score": 5,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "No standalone exploit; abuse requires log-file read on the Duo Auth Proxy host. Real-world abuse depends on prior host access plus debug-level logging being enabled (Cisco PSIRT advisory and ldaptor CVE-2025-20345 dependency advisory).",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Vendor-internal discovery via Cisco PSIRT.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "none",
+    "affected": "Cisco Duo Authentication Proxy versions prior to 6.5.3 with debug-level logging enabled and LDAP/AD password-change operations in scope.",
+    "affected_versions": [
+      "duo-authproxy < 6.5.3"
+    ],
+    "vector": "Local authenticated attacker (or post-compromise lateral mover) reads authproxy.log to recover cleartext credentials emitted during LDAP/AD password-change operations.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-AU-9": "Log-content classification is operator-defined; sensitive-data-in-logs is a recurring pattern across identity middleware.",
+      "ISO-27001-2022-A.8.15": "Logging integrity vs sensitive-content separation underspecified.",
+      "PCI-DSS-4.0-10.5": "Logs containing authentication secrets violate scope-isolation assumptions."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1552.001",
+      "T1078"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 15,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 20,
+    "verification_sources": [
+      "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-auth-info-JgkSWBLz",
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-21085"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Cisco",
+        "advisory_id": "cisco-sa-duo-auth-info-JgkSWBLz",
+        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-auth-info-JgkSWBLz",
+        "severity": "medium",
+        "published_date": "2025-09-04"
+      }
+    ],
+    "discovery_attribution_note": "Vendor-internal discovery via Cisco PSIRT. Source: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-auth-info-JgkSWBLz",
+    "live_patch_tools": []
+  },
+  "CVE-2025-1094": {
+    "id": "CVE-2025-1094",
+    "name": "PostgreSQL psql SQL Injection via Invalid UTF-8 → ACE",
+    "type": "sql-injection-rce",
+    "cvss_score": 8.1,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-02-13",
+    "cisa_kev_due_date": "2025-03-06",
+    "poc_available": true,
+    "poc_description": "Public Rapid7 advisory + Metasploit module + ishwardeepp PoC on GitHub. Invalid-UTF-8 byte sequences interact with PostgreSQL string-escaping routines and psql meta-command processing to permit injection and arbitrary command execution. Exploited in BeyondTrust + US Treasury breaches.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Rapid7 disclosure during BeyondTrust incident triage; no AI-tool attribution.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "PostgreSQL psql interactive tool < 17.3, < 16.7, < 15.11, < 14.16, < 13.19; libpq escaping path.",
+    "affected_versions": [
+      "postgresql < 17.3",
+      "postgresql < 16.7",
+      "postgresql < 15.11",
+      "postgresql < 14.16",
+      "postgresql < 13.19"
+    ],
+    "vector": "Attacker injects invalid UTF-8 byte sequences into input bound for psql; libpq escape-routine mishandling enables SQL injection, escalated to arbitrary command execution via psql meta-commands.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input-validation control assumes UTF-8 well-formedness; invalid-byte handling is implementation-defined.",
+      "PCI-DSS-4.0-6.2.4": "Critical-class injection patch SLA (30 days) insufficient for KEV+ACE+public-PoC.",
+      "ISO-27001-2022-A.8.28": "Secure coding for input validation; UTF-8 invalidity not enumerated.",
+      "NIS2-Art21-patch-management": "30-day patch window inconsistent with KEV deadline."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 27,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 77,
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-1094",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://www.rapid7.com/blog/post/2025/02/13/cve-2025-1094-postgresql-psql-sql-injection-fixed/",
+      "https://www.postgresql.org/support/security/"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "PostgreSQL Global Development Group",
+        "advisory_id": null,
+        "url": "https://www.postgresql.org/support/security/CVE-2025-1094/",
+        "severity": "high",
+        "published_date": "2025-02-13"
+      }
+    ],
+    "discovery_attribution_note": "Rapid7 disclosure during BeyondTrust incident triage; no AI-tool attribution. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-1094",
+    "live_patch_tools": []
+  },
+  "CVE-2025-49844": {
+    "id": "CVE-2025-49844",
+    "name": "Redis Lua Use-After-Free RCE ('RediShell')",
+    "type": "use-after-free-rce",
+    "cvss_score": 10,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Wiz Research disclosure with full technical details. 13-year-old UAF in Redis Lua interpreter; post-auth attacker sends crafted Lua script to escape sandbox and achieve native code execution. Default Redis deployments without auth enable unauthenticated exploitation.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Wiz Research disclosure (human-led); no AI-tool credit.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "suspected",
+    "affected": "Redis — all versions due to root-cause in shared Lua interpreter. Fix shipped in Redis 7.4.6 / 7.2.11 and downstream KeyDB / Valkey forks.",
+    "affected_versions": [
+      "redis <= 7.4.5",
+      "redis <= 7.2.10",
+      "valkey <= 7.2.x pre-fix"
+    ],
+    "vector": "Network-reachable Redis instance accepts a crafted Lua EVAL script that exploits a UAF in the Lua sandbox; sandbox-escape yields native code execution as the redis-server process.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-CM-7": "Default-deny on Lua scripting not enumerated; Redis ships with EVAL enabled.",
+      "ISO-27001-2022-A.8.9": "Configuration baselines for in-memory stores rarely disable Lua scripting.",
+      "PCI-DSS-4.0-6.3.3": "30-day SLA insufficient for CVSS:10.0 + 13-year backdoor-class regression.",
+      "OWASP-API-Security-Top-10-API8:2023": "Server-side script execution as data primitive is endemic to Redis."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1059.006"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 10,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 43,
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-49844",
+      "https://www.wiz.io/blog/wiz-research-redis-rce-cve-2025-49844",
+      "https://github.com/redis/redis/security/advisories"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Redis",
+        "advisory_id": null,
+        "url": "https://github.com/redis/redis/security/advisories",
+        "severity": "critical",
+        "published_date": "2025-10-06"
+      }
+    ],
+    "discovery_attribution_note": "Wiz Research disclosure (human-led); no AI-tool credit. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-49844",
+    "live_patch_tools": []
+  },
+  "CVE-2025-14847": {
+    "id": "CVE-2025-14847",
+    "name": "MongoDB Server zlib Heap-Memory Disclosure ('MongoBleed')",
+    "type": "information-disclosure-heap",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Public exploit code observed; active opportunistic scanning of internet-exposed MongoDB instances reported. Mismatched length fields in zlib-compressed wire-protocol headers cause MongoDB Server to return uninitialized heap memory to unauthenticated clients.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Bitsight + MongoDB-coordinated disclosure; no AI-tool attribution.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "MongoDB Server affected branches per vendor advisory; Bitsight enumerated multiple vulnerable releases across the 5.x / 6.x / 7.x / 8.x series.",
+    "affected_versions": [
+      "mongodb-server pre-2025-fix"
+    ],
+    "vector": "Unauthenticated remote attacker sends crafted compressed wire-protocol message with mismatched length fields; server replies with uninitialized heap memory (potentially containing prior request data, keys, document fragments).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SC-28": "Encryption-at-rest controls don't address in-memory leak.",
+      "ISO-27001-2022-A.8.24": "Cryptographic protection in transit assumed; heap-disclosure escapes both.",
+      "PCI-DSS-4.0-3.5": "Cardholder data potentially exposed via uninitialized-memory leak even when at-rest encryption is correct.",
+      "GDPR-Art32": "Confidentiality-by-design control insufficient for memory-disclosure class."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1190",
+      "T1005"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 47,
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-14847",
+      "https://www.mongodb.com/alerts",
+      "https://www.bitsight.com/blog/critical-vulnerability-alert-cve-2025-14847-mongodb-mongobleed"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "MongoDB",
+        "advisory_id": null,
+        "url": "https://www.mongodb.com/alerts",
+        "severity": "high",
+        "published_date": "2025-11-19"
+      }
+    ],
+    "discovery_attribution_note": "Bitsight + MongoDB-coordinated disclosure; no AI-tool attribution. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-14847",
+    "live_patch_tools": []
+  },
+  "CVE-2025-8671": {
+    "id": "CVE-2025-8671",
+    "name": "HTTP/2 'MadeYouReset' DoS (Rapid Reset successor)",
+    "type": "denial-of-service-protocol",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Public PoC tooling (moften/CVE-2025-8671-MadeYouReset-HTTP-2-DDoS). Attacker uses malformed WINDOW_UPDATE, PRIORITY, or DATA frames to trigger server-side stream resets while backend continues processing, bypassing MAX_CONCURRENT_STREAMS and exhausting resources. Disclosed 2025-08-13 by Tel Aviv University + Imperva researchers.",
+    "ai_discovered": false,
+    "ai_discovery_source": "academic_ai_fuzzing",
+    "ai_discovery_notes": "Tel Aviv University academic disclosure paired with Imperva production traffic analysis. ai_discovery_source set to academic_ai_fuzzing as the closest enum match for protocol-fuzzing research, though specific AI-fuzzing tool credit was not published.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "none",
+    "affected": "HTTP/2 implementations including Apache Tomcat, Netty (CVE-2025-55163), Varnish, Fastly, F5, SUSE-shipped libraries, Wind River. Estimated 2.8M+ internet-facing instances vulnerable.",
+    "affected_versions": [
+      "netty < 4.1.124.Final",
+      "tomcat-pre-fix",
+      "varnish-pre-fix",
+      "h2-implementations-pre-2025-08-13"
+    ],
+    "vector": "Remote unauthenticated attacker sends malformed HTTP/2 control frames over a single connection that cause the server to emit stream resets while keeping backend work in flight, bypassing concurrency limits.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SC-5": "DoS-protection controls do not enumerate HTTP/2 stream-reset bypass class.",
+      "ISO-27001-2022-A.8.9": "Configuration baselines don't address HTTP/2 protocol implementation differences.",
+      "OWASP-API-Security-Top-10-API4:2023": "Rate-limiting at HTTP layer ineffective against per-connection HTTP/2 stream amplification.",
+      "NIS2-Art21-availability": "Availability-class threat under-specified for protocol-implementation bugs."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1498",
+      "T1499.001"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 30,
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-8671",
+      "https://blog.cloudflare.com/madeyoureset-an-http-2-vulnerability-thwarted-by-rapid-reset-mitigations/",
+      "https://github.com/advisories/GHSA-prj3-ccx8-p6x4",
+      "https://thehackernews.com/2025/08/new-http2-madeyoureset-vulnerability.html"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Netty",
+        "advisory_id": "GHSA-prj3-ccx8-p6x4",
+        "url": "https://github.com/advisories/GHSA-prj3-ccx8-p6x4",
+        "severity": "high",
+        "published_date": "2025-08-13"
+      }
+    ],
+    "discovery_attribution_note": "Tel Aviv University academic disclosure paired with Imperva production traffic analysis. ai_discovery_source set to academic_ai_fuzzing as the closest enum match for protocol-fuzzing research, though specific AI-fuzzing tool credit was not published. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-8671",
+    "live_patch_tools": []
+  },
+  "CVE-2025-6965": {
+    "id": "CVE-2025-6965",
+    "name": "SQLite Memory Corruption (Big Sleep AI pre-emptive discovery)",
+    "type": "memory-corruption-rce",
+    "cvss_score": 7.2,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": false,
+    "poc_description": "Pre-emptive disclosure — Google's Big Sleep AI agent identified the bug from threat-intelligence signals before any in-the-wild exploit landed. Google publicly stated this was 'the first time an AI agent has been used to directly foil efforts to exploit a vulnerability in the wild'.",
+    "ai_discovered": true,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_date": "2025-07-15",
+    "ai_discovery_notes": "Google DeepMind + Project Zero 'Big Sleep' AI agent. First documented AI-agent zero-day prevention. Integer overflow → array out-of-bounds read in SQLite < 3.50.2.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "suspected",
+    "affected": "SQLite versions prior to 3.50.2 — extremely broad downstream footprint (embedded systems, mobile OS, browsers, AI/ML pipelines, every Python/Node/Go runtime that uses SQLite).",
+    "affected_versions": [
+      "sqlite < 3.50.2"
+    ],
+    "vector": "Attacker who can inject arbitrary SQL statements into an application causes integer overflow yielding out-of-bounds array read; memory disclosure / corruption depending on context.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Application-layer SQL filtering assumed; embedded-SQLite attack surface often invisible to AppSec scope.",
+      "ISO-27001-2022-A.8.28": "Secure-coding controls don't cover bundled-library memory-safety regressions.",
+      "EU-AI-Act-Art15": "AI-system robustness — discovered by AI, prevented by AI; framework has no concept of AI-defender attribution credit."
+    },
+    "atlas_refs": [
+      "AML.T0024"
+    ],
+    "attack_refs": [
+      "T1190"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 0,
+      "ai_factor": 15,
+      "active_exploitation": 10,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 38,
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-6965",
+      "https://thehackernews.com/2025/07/google-ai-big-sleep-stops-exploitation.html",
+      "https://cloud.google.com/blog/products/identity-security/cloud-ciso-perspectives-our-big-sleep-agent-makes-big-leap",
+      "https://www.sqlite.org/releaselog/3_50_2.html"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "SQLite",
+        "advisory_id": null,
+        "url": "https://www.sqlite.org/releaselog/3_50_2.html",
+        "severity": "high",
+        "published_date": "2025-06-28"
+      }
+    ],
+    "discovery_attribution_note": "AI-surfaced by Google's 'Big Sleep' (DeepMind + Project Zero collaboration, Gemini-backed). Notable as the first AI-agent foil of an in-the-wild zero-day exploitation campaign. Hard Rule #7 anchor entry.",
+    "live_patch_tools": []
+  },
+  "CVE-2026-22778": {
+    "id": "CVE-2026-22778",
+    "name": "vLLM Multimodal Heap Overflow RCE via JPEG2000 / FFmpeg / OpenCV",
+    "type": "heap-overflow-rce",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "OX Security disclosure with full chain: malicious video URL submitted to vLLM API → OpenCV decodes via bundled FFmpeg 5.1.x → heap overflow in JPEG2000 decoder. Heap address leak primitive sourced from PIL error message in earlier vulnerable vLLM versions facilitates exploitation.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "OX Security human research disclosure.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "suspected",
+    "affected": "vLLM multimodal endpoints prior to 0.14.1; affects FFmpeg 5.1.x bundled inside OpenCV used for video decoding.",
+    "affected_versions": [
+      "vllm < 0.14.1"
+    ],
+    "vector": "Unauthenticated network attacker submits a malicious video URL to a vLLM multimodal API endpoint; bundled FFmpeg JPEG2000 decoder triggers a heap overflow yielding RCE as the vLLM service user (commonly running with GPU + model-weight access).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SI-3": "Inference-server input validation not enumerated; multimodal-input surface novel to most AppSec programs.",
+      "EU-AI-Act-Art15": "AI-system robustness controls reference adversarial inputs but not host RCE via multimodal decoder.",
+      "ISO-IEC-42001-AIMS": "AI Management System standard lacks specific multimodal-input validation requirement.",
+      "ATLAS-AML.T0048": "ML supply chain — bundled-codec attack surface inside inference servers."
+    },
+    "atlas_refs": [
+      "AML.T0048",
+      "AML.T0010"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 10,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 40,
+    "verification_sources": [
+      "https://www.ox.security/blog/cve-2026-22778-vllm-rce-vulnerability/",
+      "https://github.com/vllm-project/vllm/security/advisories",
+      "https://thecyberexpress.com/cve-2026-22778-vllm-rce-malicious-video-link/"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "vLLM Project",
+        "advisory_id": null,
+        "url": "https://github.com/vllm-project/vllm/security/advisories",
+        "severity": "critical",
+        "published_date": "2026-01-15"
+      }
+    ],
+    "discovery_attribution_note": "OX Security human research disclosure. Source: https://www.ox.security/blog/cve-2026-22778-vllm-rce-vulnerability/",
+    "live_patch_tools": []
+  },
+  "CVE-2026-7482": {
+    "id": "CVE-2026-7482",
+    "name": "Ollama 'Bleeding Llama' Heap Memory Disclosure",
+    "type": "out-of-bounds-read-disclosure",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Crafted file upload to Ollama's model-quantization API causes out-of-bounds heap read; server process memory (potentially including model weights, conversation context, API keys) leaks to unauthenticated client.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Coordinated disclosure to Ollama security team.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "none",
+    "affected": "Ollama < 0.17.1 across all platforms (Linux, macOS, Windows).",
+    "affected_versions": [
+      "ollama < 0.17.1"
+    ],
+    "vector": "Unauthenticated network attacker uploads a specially crafted file to the Ollama API endpoint; quantization pipeline reads beyond allocated bounds and returns heap contents in response.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Ollama ships with no default authentication; control assumes operator hardens deployment.",
+      "EU-AI-Act-Art10": "Data-governance controls do not enumerate model-server memory-disclosure class.",
+      "ISO-IEC-42001-AIMS": "AI management system lacks default-deny network exposure expectation for local-model servers.",
+      "OWASP-LLM-Top-10-LLM06": "Sensitive information disclosure — class-applies."
+    },
+    "atlas_refs": [
+      "AML.T0007"
+    ],
+    "attack_refs": [
+      "T1005",
+      "T1190"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 23,
+    "verification_sources": [
+      "https://github.com/ollama/ollama/security/advisories",
+      "https://feedly.com/cve/vendors/ollama"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Ollama",
+        "advisory_id": null,
+        "url": "https://github.com/ollama/ollama/security/advisories",
+        "severity": "high",
+        "published_date": "2026-04-14"
+      }
+    ],
+    "discovery_attribution_note": "Coordinated disclosure to Ollama security team. Source: https://github.com/ollama/ollama/security/advisories",
+    "live_patch_tools": []
+  },
+  "CVE-2025-68664": {
+    "id": "CVE-2025-68664",
+    "name": "LangChain Core 'LangGrinch' Serialization Injection (Secret Extraction)",
+    "type": "deserialization-injection",
+    "cvss_score": 9.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "Cyata 'LangGrinch' writeup demonstrates end-to-end exploitation. dumps()/dumpd() do not escape free-form dictionaries containing the internal 'lc' key marker; attacker-controlled LLM response fields (additional_kwargs / response_metadata) are deserialized as legitimate LangChain objects, leaking secrets and enabling code execution paths.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Cyata research team discovery via prompt-injection attack-surface analysis.",
+    "ai_assisted_weaponization": true,
+    "ai_assisted_notes": "Exploitation depends on prompt-injection triggering an LLM to emit a payload-shaped response — i.e. the LLM IS the weaponization primitive.",
+    "active_exploitation": "suspected",
+    "affected": "LangChain Core prior to 1.2.5 / 0.3.81. Affects any agent pipeline that serializes LLM responses (most production LangChain deployments).",
+    "affected_versions": [
+      "langchain-core < 1.2.5",
+      "langchain-core < 0.3.81"
+    ],
+    "vector": "Prompt-injection-controlled LLM response content survives a dumps/dumpd → loads round-trip and is rehydrated as a LangChain object, enabling secret extraction and downstream RCE in pipelines that further evaluate the deserialized object.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-AI-RMF-MEASURE-2.7": "Prompt-injection-driven serialization round-trip not in published AI-risk taxonomy.",
+      "EU-AI-Act-Art15": "Robustness control does not enumerate serialization-deserialization chain as an attack surface.",
+      "ISO-IEC-42001-AIMS-A.6.2.5": "Lifecycle controls do not include LLM-output trust-zone separation.",
+      "OWASP-LLM-Top-10-LLM01": "Prompt Injection class — applies directly.",
+      "OWASP-LLM-Top-10-LLM02": "Insecure output handling — applies directly."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0040"
+    ],
+    "attack_refs": [
+      "T1059",
+      "T1552"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 15,
+      "active_exploitation": 10,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 52,
+    "verification_sources": [
+      "https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/",
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-68664",
+      "https://thehackernews.com/2025/12/critical-langchain-core-vulnerability.html",
+      "https://github.com/langchain-ai/langchain/security/advisories"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "LangChain",
+        "advisory_id": null,
+        "url": "https://github.com/langchain-ai/langchain/security/advisories",
+        "severity": "critical",
+        "published_date": "2025-12-09"
+      }
+    ],
+    "discovery_attribution_note": "Cyata research team discovery via prompt-injection attack-surface analysis. Source: https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/",
+    "live_patch_tools": []
+  },
+  "CVE-2025-22224": {
+    "id": "CVE-2025-22224",
+    "name": "VMware ESXi/Workstation VMCI TOCTOU → VMX Host Code Execution",
+    "type": "toctou-vm-escape",
+    "cvss_score": 9.3,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-03-04",
+    "cisa_kev_due_date": "2025-03-25",
+    "poc_available": true,
+    "poc_description": "In-the-wild exploit observed by Microsoft Threat Intelligence prior to disclosure. Huntress reported PDB-path evidence (folder '2024_02_19') suggesting the exploit chain pre-dates disclosure by ~12 months. Used in ransomware operations per CISA February 2026 follow-up.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Microsoft Threat Intelligence Center disclosure; no AI-tool attribution.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "VMware ESXi 7.0, 8.0; VMware Workstation 17.x; VMware Fusion 13.x; Cloud Foundation 4.5/5.x; Telco Cloud Platform.",
+    "affected_versions": [
+      "esxi 7.0 < ESXi70U3s-24585291",
+      "esxi 8.0 < ESXi80U3d-24585383 / ESXi80U2d-24585300",
+      "workstation < 17.6.3",
+      "fusion < 13.6.3"
+    ],
+    "vector": "Local administrative privilege on a guest VM exploits TOCTOU race in VMCI (Virtual Machine Communication Interface) leading to out-of-bounds write in the VMX host process — VM escape to hypervisor.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SC-39": "Hypervisor isolation control assumes guest-to-host boundary is intact; TOCTOU race breaks it.",
+      "ISO-27001-2022-A.8.21": "Network segregation assumed at the virtualization layer; VM-escape sidesteps.",
+      "PCI-DSS-4.0-2.2.3": "Multi-tenant segmentation premise violated.",
+      "NIS2-Art21-business-continuity": "Hypervisor compromise blast radius covers all tenants on the host.",
+      "FedRAMP-SC-7": "Boundary protection assumes hypervisor as trust anchor."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1611",
+      "T1068"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_score": 85,
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-22224",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390",
+      "https://www.bleepingcomputer.com/news/security/broadcom-fixes-three-vmware-zero-days-exploited-in-attacks/"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Broadcom (VMware)",
+        "advisory_id": "VMSA-2025-0004",
+        "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390",
+        "severity": "critical",
+        "published_date": "2025-03-04"
+      }
+    ],
+    "discovery_attribution_note": "Microsoft Threat Intelligence Center disclosure; no AI-tool attribution. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-22224",
+    "live_patch_tools": []
+  },
+  "CVE-2025-22225": {
+    "id": "CVE-2025-22225",
+    "name": "VMware ESXi Arbitrary Kernel Write (VM-escape chain, ransomware-active)",
+    "type": "arbitrary-kernel-write-vm-escape",
+    "cvss_score": 8.2,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-03-04",
+    "cisa_kev_due_date": "2025-03-25",
+    "poc_available": true,
+    "poc_description": "Active exploitation by ransomware groups confirmed by CISA in February 2026 follow-up. Chained with CVE-2025-22224 (TOCTOU) and CVE-2025-22226 (memory leak) for full VM-escape → hypervisor-management access.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Microsoft Threat Intelligence Center co-disclosure.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "VMware ESXi 7.0, 8.0; Cloud Foundation 4.5/5.x.",
+    "affected_versions": [
+      "esxi 7.0 < ESXi70U3s-24585291",
+      "esxi 8.0 < ESXi80U3d-24585383"
+    ],
+    "vector": "Local attacker inside the VMX process exploits arbitrary kernel-write primitive to write to ESXi kernel memory and execute as the hypervisor.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SC-39": "Same hypervisor-isolation gap as CVE-2025-22224; ransomware-confirmed.",
+      "PCI-DSS-4.0-2.2.3": "Multi-tenant assumption violated.",
+      "ISO-27001-2022-A.8.21": "Network segregation assumed at the virtualization layer; chain breaks it.",
+      "DORA-Art10": "ICT third-party concentration risk realized at the hypervisor layer."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1611",
+      "T1068"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 30,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_score": 85,
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-22225",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390",
+      "https://www.helpnetsecurity.com/2026/02/05/cisa-cve-2025-22225-ransomware-exploitation/"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Broadcom (VMware)",
+        "advisory_id": "VMSA-2025-0004",
+        "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390",
+        "severity": "high",
+        "published_date": "2025-03-04"
+      }
+    ],
+    "discovery_attribution_note": "Microsoft Threat Intelligence Center co-disclosure. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-22225",
+    "live_patch_tools": []
+  },
+  "CVE-2025-22226": {
+    "id": "CVE-2025-22226",
+    "name": "VMware ESXi HGFS Memory Leak (VM-escape chain helper)",
+    "type": "information-disclosure-vm-escape",
+    "cvss_score": 7.1,
+    "cvss_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
+    "cisa_kev": true,
+    "cisa_kev_date": "2025-03-04",
+    "cisa_kev_due_date": "2025-03-25",
+    "poc_available": true,
+    "poc_description": "Third-in-chain CVE in the VMSA-2025-0004 cluster; HGFS (Host Guest File System) memory leak provides the heap-address oracle used to weaponize CVE-2025-22224 + CVE-2025-22225. Active exploitation confirmed by Broadcom as 'observed in attacks'.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Microsoft Threat Intelligence Center co-disclosure.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "VMware ESXi 7.0, 8.0; Workstation 17.x; Fusion 13.x.",
+    "affected_versions": [
+      "esxi 7.0 < ESXi70U3s-24585291",
+      "esxi 8.0 < ESXi80U3d-24585383",
+      "workstation < 17.6.3",
+      "fusion < 13.6.3"
+    ],
+    "vector": "Local guest-admin reads VMX-process memory via HGFS leak primitive; supplies heap addresses for the TOCTOU + arbitrary-write CVEs in the same chain.",
+    "patch_available": true,
+    "patch_required_reboot": true,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SC-28": "Memory-protection control assumes process isolation; leak escapes.",
+      "ISO-27001-2022-A.8.24": "In-transit / at-rest crypto irrelevant to in-memory disclosure.",
+      "FedRAMP-SC-4": "Information in shared resources — direct violation."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1005",
+      "T1611"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 25,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 5
+    },
+    "rwep_score": 80,
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-22226",
+      "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
+      "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Broadcom (VMware)",
+        "advisory_id": "VMSA-2025-0004",
+        "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390",
+        "severity": "high",
+        "published_date": "2025-03-04"
+      }
+    ],
+    "discovery_attribution_note": "Microsoft Threat Intelligence Center co-disclosure. Source: https://nvd.nist.gov/vuln/detail/CVE-2025-22226",
+    "live_patch_tools": []
+  },
+  "MAL-2024-PYPI-ULTRALYTICS-XMRIG": {
+    "id": "MAL-2024-PYPI-ULTRALYTICS-XMRIG",
+    "name": "ultralytics PyPI Compromise → XMRig Cryptominer (60M-download AI library)",
+    "type": "supply-chain-cryptominer",
+    "cvss_score": 8.6,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H",
+    "cvss_correction_note": "No NVD CVE assigned; CVSS synthesized per OSSF Malicious-Packages convention for an unauthenticated post-install code-execution against a ~60M-download package. UI:R because developer / CI must run `pip install`. S:C because compromised model-training environments exfiltrate training data / weights / cloud credentials.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "kev_scope_note": "CISA KEV scope excludes ecosystem-package compromises without assigned CVE.",
+    "poc_available": true,
+    "poc_description": "Live malicious payload in ultralytics 8.3.41 and 8.3.42 (the first 'remediation' release inadvertently re-shipped the malicious code). XMRig cryptominer downloaded post-install via downloader code injected through a GitHub Actions script-injection in the build environment by openimbot.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "ReversingLabs + Wiz + HiddenLayer concurrent ecosystem-telemetry detection.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "ultralytics 8.3.41 and 8.3.42 on PyPI (~60M monthly downloads, 30k+ GitHub stars). Clean release: 8.3.43.",
+    "affected_versions": [
+      "ultralytics==8.3.41",
+      "ultralytics==8.3.42"
+    ],
+    "vector": "GitHub Actions script-injection enabled openimbot to inject post-install downloader after code review; resulting wheel pulled XMRig from attacker infrastructure. Connection attribution: Hong Kong (per ultralytics maintainer disclosure).",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-218-SSDF-PO.4.2": "Build-environment hardening guidance generic; GitHub Actions script-injection class persists.",
+      "SLSA-3": "Build provenance attestation gap.",
+      "ISO-27001-2022-A.8.30": "Outsourced development control doesn't specifically address ecosystem-package build-pipeline injection.",
+      "EU-AI-Act-Art10": "Data governance — compromised AI library is in-scope but framework lacks supply-chain control prescription.",
+      "OpenSSF-Scorecard-PinnedDependenciesID": "Float-version installs propagate compromise instantly across consumer base."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011"
+    ],
+    "attack_refs": [
+      "T1195.002",
+      "T1496"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 53,
+    "verification_sources": [
+      "https://www.reversinglabs.com/blog/compromised-ultralytics-pypi-package-delivers-crypto-coinminer",
+      "https://www.wiz.io/blog/ultralytics-ai-library-hacked-via-github-for-cryptomining",
+      "https://hiddenlayer.com/innovation-hub/ultralytics-python-package-compromise-deploys-cryptominer",
+      "https://github.com/ultralytics/ultralytics/security/advisories"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Ultralytics",
+        "advisory_id": null,
+        "url": "https://github.com/ultralytics/ultralytics/security/advisories",
+        "severity": "critical",
+        "published_date": "2024-12-05"
+      }
+    ],
+    "discovery_attribution_note": "ReversingLabs + Wiz + HiddenLayer concurrent ecosystem-telemetry detection. Source: https://www.reversinglabs.com/blog/compromised-ultralytics-pypi-package-delivers-crypto-coinminer",
+    "live_patch_tools": []
+  },
+  "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER": {
+    "id": "MAL-2026-RUBYGEMS-BUFFERZONECORP-SLEEPER",
+    "name": "BufferZoneCorp RubyGems + Go Module Sleeper-to-Payload Credential Theft Campaign",
+    "type": "supply-chain-credential-stealer-multi-ecosystem",
+    "cvss_score": 9.1,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
+    "cvss_correction_note": "No NVD CVE assigned; CVSS synthesized per OSSF Malicious-Packages convention. AV:N because payload reaches victims via RubyGems / Go module proxies. UI:R because CI / developer must run `bundle install` / `go get`. S:C because exfiltrated SSH keys, AWS creds, .npmrc, .netrc, GitHub CLI config, and RubyGems credentials extend blast radius beyond consuming process.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "kev_scope_note": "CISA KEV scope excludes ecosystem-package compromises without assigned CVE.",
+    "poc_available": true,
+    "poc_description": "Live malicious packages — Ruby gems harvested env vars + SSH keys + AWS credentials + .npmrc + .netrc + GitHub CLI config + RubyGems credentials to a hidden C2 endpoint. Go modules modified GITHUB_ENV, poisoned GOPROXY, weakened checksum protections, tampered with go.sum, and planted fake `go` wrappers in workflow execution paths.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Socket.dev research disclosure; concurrent reporting by other supply-chain firms.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "Ruby gems and Go modules published by GitHub account 'BufferZoneCorp' impersonating activesupport-logger, devise-jwt, go-retryablehttp, grpc-client, config-loader and similar utility brands. Packages have been yanked from RubyGems; Go modules blocked.",
+    "affected_versions": [
+      "activesupport-logger (BufferZoneCorp)",
+      "devise-jwt (BufferZoneCorp)",
+      "go-retryablehttp (BufferZoneCorp typosquat)",
+      "grpc-client (BufferZoneCorp typosquat)",
+      "config-loader (BufferZoneCorp typosquat)"
+    ],
+    "vector": "Sleeper-to-payload — packages published with clean README + minimal functionality, silently updated to malicious payload after trust accrual. Targets CI pipelines for credential theft + GitHub Actions tampering + SSH persistence.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-218-SSDF-PO.4.2": "Sleeper pattern defeats one-time package audit.",
+      "SLSA-3": "Build provenance ineffective against post-trust-accrual malicious update.",
+      "ISO-27001-2022-A.5.21": "Supplier security control depends on initial assessment; doesn't address temporal trust drift.",
+      "OpenSSF-Scorecard-PinnedDependenciesID": "Pinned dependency mitigates only if hash-pinned, not version-pinned.",
+      "PCI-DSS-4.0-6.3.2": "Bespoke / custom software inventory excludes transitive dependencies.",
+      "NIS2-Art21-supply-chain": "Supply-chain control assumes initial vetting; sleeper pattern not enumerated."
+    },
+    "atlas_refs": [
+      "AML.T0010"
+    ],
+    "attack_refs": [
+      "T1195.002",
+      "T1552",
+      "T1078.004"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 50,
+    "verification_sources": [
+      "https://socket.dev/blog/malicious-ruby-gems-and-go-modules-steal-secrets-poison-ci",
+      "https://thehackernews.com/2026/05/poisoned-ruby-gems-and-go-modules.html",
+      "https://thehackernews.com/2026/05/rubygems-suspends-new-signups-after.html"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "RubyGems",
+        "advisory_id": null,
+        "url": "https://blog.rubygems.org/",
+        "severity": "critical",
+        "published_date": "2026-05-12"
+      }
+    ],
+    "discovery_attribution_note": "Socket.dev research disclosure; concurrent reporting by other supply-chain firms. Source: https://socket.dev/blog/malicious-ruby-gems-and-go-modules-steal-secrets-poison-ci",
+    "live_patch_tools": []
+  },
+  "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER": {
+    "id": "MAL-2025-PYPI-COLORAMA-SOLANA-STEALER",
+    "name": "PyPI Colorama Typosquat Campaign → Solana Credential / Crypto Stealer",
+    "type": "supply-chain-typosquat-credential-stealer",
+    "cvss_score": 8.6,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
+    "cvss_correction_note": "No NVD CVE assigned; CVSS synthesized per OSSF Malicious-Packages convention for typosquat campaign with confirmed credential exfiltration + cryptocurrency wallet theft. UI:R because developer must `pip install` the typosquat. S:C because exfiltrated browser data + crypto wallet keys + Solana ecosystem credentials extend blast radius beyond install host.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "kev_scope_note": "CISA KEV excludes ecosystem-package compromises without assigned CVE.",
+    "poc_available": true,
+    "poc_description": "11 PyPI packages published by a single threat actor between 2025-05-04 and 2025-05-24, split across four payload variants targeting the Solana ecosystem (browser-stored credentials, crypto wallets, sensitive session cookies). Multiple downstream variants — coloramapkgsw, coloramapkgsdow, coloramashowtemp, coloramapkgs, readmecolorama, colorizator, coloraiz, and related — extend the colorama / colorizr typosquat pattern.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Imperva Threat Research + Checkmarx + Check Point ecosystem-telemetry detection.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "confirmed",
+    "affected": "PyPI typosquats of `colorama` (one of the most-installed Python packages, >150M downloads/month) and `colorizr`. Multiple variants since 2024; the May 2025 cluster specifically targeted Solana credentials.",
+    "affected_versions": [
+      "coloramapkgsw (all versions)",
+      "coloramapkgsdow (all versions)",
+      "coloramashowtemp (all versions)",
+      "coloramapkgs (all versions)",
+      "readmecolorama (all versions)",
+      "colorizator (all versions)",
+      "coloraiz (all versions)"
+    ],
+    "vector": "Developer typing `pip install colorama` mistypes / autocompletes onto a typosquat; install-time code exfiltrates browser-stored credentials, crypto wallets, Facebook/Telegram/Roblox session material, and Solana wallet artifacts.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-218-SSDF-PO.4.2": "Typosquat detection not enumerated in standard SSDF practices.",
+      "ISO-27001-2022-A.5.21": "Supplier control doesn't address ecosystem-name-confusion class.",
+      "OpenSSF-Scorecard-PinnedDependenciesID": "Pin-by-hash mitigates only at deploy time; install-time typosquat persists.",
+      "GDPR-Art32": "Confidentiality breach via developer-endpoint compromise underspecified."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1195.002",
+      "T1552",
+      "T1657"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 45,
+    "verification_sources": [
+      "https://www.imperva.com/blog/pythons-colorama-typosquatting-meets-fade-stealer-malware/",
+      "https://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama/",
+      "https://blog.checkpoint.com/securing-the-cloud/pypi-inundated-by-malicious-typosquatting-campaign/",
+      "https://thehackernews.com/2025/06/malicious-pypi-npm-and-ruby-packages.html"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "PyPI",
+        "advisory_id": null,
+        "url": "https://pypi.org/security/",
+        "severity": "high",
+        "published_date": "2025-05-25"
+      }
+    ],
+    "discovery_attribution_note": "Imperva Threat Research + Checkmarx + Check Point ecosystem-telemetry detection. Source: https://www.imperva.com/blog/pythons-colorama-typosquatting-meets-fade-stealer-malware/",
+    "live_patch_tools": []
+  },
+  "CVE-2025-0133": {
+    "id": "CVE-2025-0133",
+    "name": "Palo Alto Networks GlobalProtect Reflected XSS (XBOW AI-discovered)",
+    "type": "reflected-xss-captive-portal",
+    "cvss_score": 5.1,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "XBOW writeup includes the discovery methodology; reflected XSS payload triggered via crafted link processed by GlobalProtect captive-portal. Allows execution of JavaScript in authenticated user's browser context enabling credential-phishing that originates from the legitimate VPN portal hostname.",
+    "ai_discovered": true,
+    "ai_discovery_source": "bug_bounty_ai_augmented",
+    "ai_discovery_date": "2025-05-14",
+    "ai_discovery_notes": "Discovered autonomously by XBOW autonomous-pentest AI during a HackerOne bug-bounty engagement scoped to the GlobalProtect web application. Notable because XBOW reached #1 on HackerOne US Q2 2025 leaderboard ahead of all human researchers in the same Vulnerability Disclosure Program ranking. Discovery affected over 2,000 internet-facing hosts at disclosure time.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "none",
+    "affected": "PAN-OS GlobalProtect gateway and portal. Cloud NGFW (all versions), PAN-OS 11.2 < 11.2.7, PAN-OS 11.1 < 11.1.11, PAN-OS 10.2 < 10.2.17, PAN-OS 10.1 (all versions, EoL — no fix).",
+    "affected_versions": [
+      "pan-os 11.2 < 11.2.7",
+      "pan-os 11.1 < 11.1.11",
+      "pan-os 10.2 < 10.2.17",
+      "pan-os 10.1 (all)"
+    ],
+    "vector": "Authenticated captive-portal user clicks crafted link; reflected XSS executes JavaScript inside the GlobalProtect portal origin enabling session theft / credential phishing.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation control assumes static-analysis coverage; AI-discovery surfaced bugs missed by conventional tooling.",
+      "ISO-27001-2022-A.8.28": "Secure coding controls do not enumerate AI-assisted discovery as a positive defense modality.",
+      "OWASP-Top-10-2021-A03": "Injection class — XSS in security-control-plane software.",
+      "EU-AI-Act-Art15": "Robustness control does not address AI-assisted-discovery contribution credit."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1059.007",
+      "T1539"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 15,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 38,
+    "verification_sources": [
+      "https://security.paloaltonetworks.com/CVE-2025-0133",
+      "https://xbow.com/blog/xbow-globalprotect-xss",
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-0133"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Palo Alto Networks",
+        "advisory_id": "PAN-SA-2025-0001",
+        "url": "https://security.paloaltonetworks.com/CVE-2025-0133",
+        "severity": "medium",
+        "published_date": "2025-05-14"
+      }
+    ],
+    "discovery_attribution_note": "AI-surfaced by XBOW autonomous-pentest agent during HackerOne VDP engagement. First publicly-attributed AI-tool CVE against Palo Alto. Hard Rule #7 anchor.",
+    "live_patch_tools": []
+  },
+  "CVE-2025-59529": {
+    "id": "CVE-2025-59529",
+    "name": "Avahi Simple Protocol Server Connection-Limit DoS (ZeroPath AI-discovered)",
+    "type": "business-logic-dos",
+    "cvss_score": 6.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "ZeroPath writeup includes reproduction details; avahi-daemon Simple Protocol Server continues accepting clients after the configured connection limit should have engaged, allowing local resource exhaustion via repeated connections.",
+    "ai_discovered": true,
+    "ai_discovery_source": "bug_bounty_ai_augmented",
+    "ai_discovery_date": "2025-09-23",
+    "ai_discovery_notes": "Discovered by ZeroPath's AI-powered SAST during code analysis of the Avahi project. Classified as a business-logic vulnerability — the type that traditional pattern-based SAST tools typically miss. Part of ZeroPath's broader portfolio of AI-discovered CVEs spanning Avahi, curl, and other infrastructure components.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "none",
+    "affected": "Avahi (mDNS / DNS-SD service-discovery daemon) deployed with Simple Protocol Server enabled; ubiquitous on Linux desktops, IoT devices, and embedded systems.",
+    "affected_versions": [
+      "avahi pre-fix"
+    ],
+    "vector": "Local or network-reachable attacker (where avahi-daemon is exposed) opens repeated Simple Protocol connections; daemon ignores connection-cap configuration and exhausts file descriptors / memory, denying service-discovery on the host.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SC-5": "Default-allow connection acceptance behaviour escapes generic DoS-protection control.",
+      "ISO-27001-2022-A.8.9": "Configuration baseline assumes configured-limit-enforced; business-logic bypass not enumerated.",
+      "ENISA-IoT-security-baseline": "IoT-device service-discovery hardening unspecified for business-logic class.",
+      "EU-AI-Act-Art15": "Framework does not credit AI-assisted-defender finding."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1499.002"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 15,
+      "active_exploitation": 0,
+      "blast_radius": 15,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 35,
+    "verification_sources": [
+      "https://zeropath.com/blog/avahi-simple-protocol-server-dos-cve-2025-59529",
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-59529",
+      "https://github.com/avahi/avahi/security/advisories"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Avahi",
+        "advisory_id": null,
+        "url": "https://github.com/avahi/avahi/security/advisories",
+        "severity": "medium",
+        "published_date": "2025-09-23"
+      }
+    ],
+    "discovery_attribution_note": "AI-surfaced by ZeroPath SAST agent. Notable as a business-logic class detection — the category most resistant to conventional SAST and most accelerated by LLM-driven analysis. Hard Rule #7 anchor.",
+    "live_patch_tools": []
+  },
+  "CVE-2025-55319": {
+    "id": "CVE-2025-55319",
+    "name": "Visual Studio Code Agentic-AI Command Injection (ZeroPath AI-discovered)",
+    "type": "command-injection-agentic",
+    "cvss_score": 7.4,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": true,
+    "poc_description": "ZeroPath writeup demonstrates command-injection path through VS Code's agentic-AI integration where adversarial tool / instruction content reaches a shell execution primitive.",
+    "ai_discovered": true,
+    "ai_discovery_source": "bug_bounty_ai_augmented",
+    "ai_discovery_date": "2025-09-09",
+    "ai_discovery_notes": "Discovered and reported by ZeroPath AI-SAST analyzing the VS Code agentic-AI surface. Notable because the discovered bug exists IN the AI-tooling integration layer — AI defender finding bugs in AI-assistant surfaces.",
+    "ai_assisted_weaponization": true,
+    "ai_assisted_notes": "Exploitation can be triggered by adversarial content in tool responses or MCP server messages — i.e. the AI agent IS the weaponization primitive that escalates a crafted input into a shell command.",
+    "active_exploitation": "none",
+    "affected": "Visual Studio Code agentic-AI feature surface prior to vendor fix; affects developer workstations using GitHub Copilot Chat / MCP-integrated AI agents inside VS Code.",
+    "affected_versions": [
+      "vscode pre-fix"
+    ],
+    "vector": "Adversarial content in an AI tool response or external MCP server message reaches a shell-execution primitive inside VS Code's agentic integration, executing attacker-controlled commands as the developer.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-AI-RMF-MEASURE-2.7": "Prompt-injection-to-shell pathway underspecified in AI-RMF measurement guidance.",
+      "EU-AI-Act-Art15": "Agentic-AI host-execution boundary not enumerated as a robustness control.",
+      "ISO-IEC-42001-AIMS-A.6.2.5": "AI lifecycle controls don't address IDE-resident agentic primitives.",
+      "OWASP-LLM-Top-10-LLM01": "Prompt Injection — directly applicable.",
+      "OWASP-LLM-Top-10-LLM05": "Improper Output Handling — directly applicable.",
+      "OWASP-LLM-Top-10-LLM07": "Insecure Plugin Design — directly applicable to MCP integration class."
+    },
+    "atlas_refs": [
+      "AML.T0051"
+    ],
+    "attack_refs": [
+      "T1059"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 15,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 40,
+    "verification_sources": [
+      "https://zeropath.com/blog/cve-2025-55319-agentic-ai-vscode-command-injection",
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55319",
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-55319"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Microsoft",
+        "advisory_id": "CVE-2025-55319",
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55319",
+        "severity": "high",
+        "published_date": "2025-09-09"
+      }
+    ],
+    "discovery_attribution_note": "AI-surfaced by ZeroPath. Doubly-relevant: AI-defender finds bug in AI-agentic IDE integration. ai_assisted_weaponization=true because the AI agent IS the weaponization primitive — qualifies under both Hard Rule #7 limbs.",
+    "live_patch_tools": []
+  },
+  "CVE-2025-53767": {
+    "id": "CVE-2025-53767",
+    "name": "Azure OpenAI SSRF Privilege Escalation (ZeroPath AI-discovered)",
+    "type": "ssrf-privilege-escalation",
+    "cvss_score": 8.7,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": false,
+    "poc_description": "ZeroPath writeup details SSRF chain in Azure OpenAI service surface enabling privilege escalation. Microsoft fixed server-side before public PoC; no operator-side reproduction available post-fix.",
+    "ai_discovered": true,
+    "ai_discovery_source": "bug_bounty_ai_augmented",
+    "ai_discovery_date": "2025-08-19",
+    "ai_discovery_notes": "Discovered by ZeroPath AI agent analyzing Azure OpenAI service attack surface. Fixed in Microsoft-managed cloud service; no operator action required post-patch.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "none",
+    "affected": "Azure OpenAI service (Microsoft-managed cloud). Pre-2025-08-19 service state.",
+    "affected_versions": [
+      "azure-openai pre-2025-08-19"
+    ],
+    "vector": "Authenticated low-privilege tenant user issues SSRF request that crosses the cloud-tenant boundary, escalating into administrative or cross-tenant context within the Azure OpenAI control plane.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-SC-7": "Boundary protection assumes east-west traffic within cloud-tenant boundary is filtered; SSRF crosses it.",
+      "FedRAMP-AC-4": "Information flow control assumed tenant-isolated.",
+      "EU-AI-Act-Art15": "Robustness control does not enumerate AI-service control-plane SSRF.",
+      "OWASP-Top-10-2021-A10": "SSRF — directly applicable.",
+      "ISO-IEC-42001-AIMS": "AI Management System silent on managed-AI-service supply chain risk."
+    },
+    "atlas_refs": [
+      "AML.T0024",
+      "AML.T0047"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1078.004"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 0,
+      "ai_factor": 15,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 22,
+    "verification_sources": [
+      "https://zeropath.com/blog/cve-2025-53767",
+      "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53767",
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-53767"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Microsoft",
+        "advisory_id": "CVE-2025-53767",
+        "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53767",
+        "severity": "critical",
+        "published_date": "2025-08-19"
+      }
+    ],
+    "discovery_attribution_note": "AI-surfaced by ZeroPath against Azure OpenAI control plane. Hard Rule #7 anchor and identity-class adjacent (cloud-tenant control plane).",
+    "live_patch_tools": []
+  },
+  "CVE-2025-10725": {
+    "id": "CVE-2025-10725",
+    "name": "Red Hat OpenShift AI Privilege Escalation (ZeroPath AI-discovered)",
+    "type": "privilege-escalation-rbac",
+    "cvss_score": 8.1,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": false,
+    "poc_description": "ZeroPath writeup details RBAC privilege-escalation primitive in OpenShift AI control plane. Vendor patched before publishing PoC artifacts.",
+    "ai_discovered": true,
+    "ai_discovery_source": "bug_bounty_ai_augmented",
+    "ai_discovery_date": "2025-09-29",
+    "ai_discovery_notes": "Discovered by ZeroPath AI agent analyzing OpenShift AI integration surface. Highlights the AI-platform supply chain class — AI-defender finding bugs in AI-deployment platforms.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "none",
+    "affected": "Red Hat OpenShift AI prior to vendor fix; affects managed-Kubernetes AI deployments.",
+    "affected_versions": [
+      "openshift-ai pre-fix"
+    ],
+    "vector": "Authenticated low-privilege tenant user leverages RBAC primitive to escalate privileges across the OpenShift AI control-plane boundary.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-53-AC-6": "Least-privilege enforced at conventional Kubernetes RBAC layer; AI-platform overlay extends attack surface.",
+      "FedRAMP-AC-3": "Access enforcement at API server assumed; OpenShift AI overlay introduces additional control plane.",
+      "EU-AI-Act-Art15": "AI-platform deployment surface not enumerated in robustness controls.",
+      "ISO-IEC-42001-AIMS-A.6.2.5": "AI lifecycle controls don't address managed-AI-platform tenant isolation."
+    },
+    "atlas_refs": [
+      "AML.T0024"
+    ],
+    "attack_refs": [
+      "T1068",
+      "T1098.003"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 0,
+      "ai_factor": 15,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 20,
+    "verification_sources": [
+      "https://zeropath.com/blog/cve-2025-10725-redhat-openshift-ai-privilege-escalation",
+      "https://access.redhat.com/security/cve/CVE-2025-10725",
+      "https://nvd.nist.gov/vuln/detail/CVE-2025-10725"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Red Hat",
+        "advisory_id": null,
+        "url": "https://access.redhat.com/security/cve/CVE-2025-10725",
+        "severity": "high",
+        "published_date": "2025-09-29"
+      }
+    ],
+    "discovery_attribution_note": "AI-surfaced by ZeroPath against Red Hat OpenShift AI. Hard Rule #7 anchor — AI-defender finding bugs in AI-deployment platform.",
+    "live_patch_tools": []
+  },
+  "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP": {
+    "id": "MAL-2025-AI-FOUND-FFMPEG-BIGSLEEP",
+    "name": "Big Sleep AI Open-Source 20-Vulnerability Disclosure Tranche (FFmpeg + ImageMagick + others)",
+    "type": "ai-discovered-tranche-multi-cve",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_correction_note": "Composite entry covering the August 2025 Big Sleep tranche. Individual CVE-level CVSS varies; representative high-severity media-decoder bug used as anchor. Per-CVE detail still being published by Google as the tranche disclosure unfolds.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "poc_available": false,
+    "poc_description": "Pre-emptive AI-agent discovery; no public PoCs at disclosure time. Bugs reported through standard upstream-vendor responsible-disclosure channels with patches landing before public PoC publication.",
+    "ai_discovered": true,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_date": "2025-08-04",
+    "ai_discovery_notes": "Google DeepMind + Project Zero 'Big Sleep' AI agent (Gemini-backed) reported the first 20 vulnerabilities it found, disclosed publicly by Heather Adkins on 2025-08-04. Targets included FFmpeg media library and ImageMagick editing suite — both with massive downstream redistribution surface.",
+    "ai_assisted_weaponization": false,
+    "active_exploitation": "none",
+    "affected": "FFmpeg, ImageMagick, and other open-source media / utility libraries enumerated in the Big Sleep August 2025 tranche.",
+    "affected_versions": [
+      "ffmpeg pre-tranche-fix",
+      "imagemagick pre-tranche-fix"
+    ],
+    "vector": "Varies per CVE in tranche; representative path is memory-corruption in media-decoder triggered by crafted file processed via library API.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "framework_control_gaps": {
+      "NIST-800-218-SSDF-PW.7.1": "Code review by automated tools — frameworks lack specific 'AI-discovery' attribution model.",
+      "EU-AI-Act-Art15": "Framework does not enumerate AI-as-defender contribution to robustness control.",
+      "ISO-IEC-42001-AIMS": "AI Management System silent on AI-vulnerability-discovery as a positive control surface.",
+      "OWASP-SAMM-Code-Review": "AI-tooling not enumerated as a SAMM code-review modality."
+    },
+    "atlas_refs": [
+      "AML.T0024"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1203"
+    ],
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 0,
+      "ai_factor": 15,
+      "active_exploitation": 0,
+      "blast_radius": 20,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_score": 20,
+    "verification_sources": [
+      "https://cloud.google.com/blog/products/identity-security/cloud-ciso-perspectives-our-big-sleep-agent-makes-big-leap",
+      "https://blog.google/innovation-and-ai/technology/safety-security/cybersecurity-updates-summer-2025/",
+      "https://winbuzzer.com/2025/08/05/googles-big-sleep-ai-agent-finds-20-new-open-source-vulnerabilities-xcxwbn/"
+    ],
+    "source_verified": "2026-05-18",
+    "last_updated": "2026-05-18",
+    "vendor_advisories": [
+      {
+        "vendor": "Google (Big Sleep)",
+        "advisory_id": null,
+        "url": "https://cloud.google.com/blog/products/identity-security/cloud-ciso-perspectives-our-big-sleep-agent-makes-big-leap",
+        "severity": "informational",
+        "published_date": "2025-08-04"
+      }
+    ],
+    "discovery_attribution_note": "Composite / tranche entry covering the Big Sleep FFmpeg + ImageMagick AI-tool zero-day finds (Google DeepMind + Project Zero). Operator action: when the per-CVE detail becomes available, split this into individual catalog entries and retire the composite. Anchor entry for Hard Rule #7 (AI-discovery rate).",
+    "live_patch_tools": []
   }
 }